Medical and personal patient data from Innomar Strategies – a major Canadian pharmaceutical company – was stolen following an intrusion into the parent company’s computer system. Potential victims interviewed The Press did not know that this company had access to this sensitive information.
Published at 12:59 a.m.
Updated at 5:00 a.m.
“I have already had my information stolen with the leak from Desjardins and now I learn that it is the information in my medical file that would have been stolen from a company that I do not even know,” says a patient who does not does not want to be named, for fear of breaking the bond of trust with his doctor.
Since being diagnosed with cancer a few years ago, the man has undergone a battery of treatments and participated in several studies.
“I assure you that everything goes quickly when we find ourselves in this situation. The doctor offers us programs and we sign what is necessary to access the treatment. I tell myself that I must have signed something that caused my information to end up with this company. »
The company in question is Innomar Strategies. This Canadian subsidiary of Cencora – an American drug distribution giant which was called AmerisourceBergen until last year – manages dozens of patient support programs (PSP).
PSPs are programs that operate outside the public health network and monitor the use of expensive specialty medications that treat complex illnesses. In order for a patient to participate, the doctor usually has them sign a consent form.
“Extracted data”
At the start of the week, Innomar sent a letter to patients in which it explained that it had noted that “data was extracted” from the parent company’s computer systems on February 21, 2024. It assured that it had taken control measures and investigated “with the help of police forces, cybersecurity experts and external lawyers”.
Result: in April, the company concluded that information had “been affected by the incident”. Nearly two months passed before Innomar contacted its patients.
The letter sent by the company explains that patients’ personal information – name, email and postal addresses, telephone number, date of birth, etc. – are at risk, but also their medical information.
In the missive, it is written: “Based on our investigation, personal information, including personal health information, was affected, including possibly […] the location of services you received, your diagnosis/condition, medications/prescriptions, medical record number, patient numbers, health insurance number, signature, laboratory results and history medical. »
“There is nothing reassuring about it,” confides a patient who does not want to be named so as not to harm the doctor who made her sign the form to enroll her in a treatment program. She receives doses to combat a skin disease. “I really wonder what medical information they hold and what someone can do with my information. »
She adds: “It’s a strange feeling because it bothers me more than if it was financial information. From what I understand, they have access to my blood tests, my diagnoses… This is information that only me and my doctor should have access to. I didn’t even know the company had access to this information. »
Not surprising
Cencora’s director of public relations, Mike Iorfino, sent an email to The Press in which he essentially summarizes what is detailed in the letter sent to patients. As a result, it was impossible to know the number of Canadian patients whose data was potentially exposed.
It adds that there is “no evidence that the information was publicly disclosed or misused for fraudulent purposes” and assures that Cencora and Innomar provide patients with access to resources “to help them protect their information.
A major Canadian player in the pharmaceutical industry, Innomar manages dozens of patient care programs funded by drug manufacturers such as Abbvie, Bristol-Myers, Pfizer, Sandoz, Sanofi and Takeda. The company also owns hundreds of infusion clinics and pharmacies across the country.
Cybersecurity specialist and lecturer at the University of Sherbrooke Steve Waterhouse is not surprised by the event.
There is a significant resale market for medical information, because it is mainly used to supplement other records that can be used for identity theft.
Steve Waterhouse, cybersecurity expert
“Someone adds information of another nature that they can cross-check with that coming from leaks from Desjardins, Capital One, Bell, Facebook, Videotron, etc. “, he specifies.
In recent years, several thefts or data leaks have targeted medical data, he emphasizes. He cites the recent example of the theft of personal data of patients from five Ontario hospitals following an attack targeting Transform, the organization that manages the IT services of these institutions.
